trailofbits/PrivacyRaven trailofbits/PrivacyRaven

  • Stars
    star
    178
  • Rank 208,133 (Top 5 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created almost 4 years ago
  • Updated 10 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
trailofbits/PrivacyRaven
github

trailofbits

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Privacy Testing for Deep Learning

PrivacyRaven Logo

Note: This project is on hiatus.

PrivacyRaven is a privacy testing library for deep learning systems. You can use it to determine the susceptibility of a model to different privacy attacks; evaluate privacy preserving machine learning techniques; develop novel privacy metrics and attacks; and repurpose attacks for data provenance and other use cases.

PrivacyRaven supports label-only black-box model extraction, membership inference, and (soon) model inversion attacks. We also plan to include differential privacy verification, automated hyperparameter optimization, more classes of attacks, and other features; see the GitHub issues for more information. PrivacyRaven has been featured at the OpenMined Privacy Conference, Empire Hacking, and Trail of Bits blog.

Why use PrivacyRaven?

Deep learning systems, particularly neural networks, have proliferated in a wide range of applications, including privacy-sensitive use cases such as facial recognition and medical diagnoses. However, these models are vulnerable to privacy attacks that target both the intellectual property of the model and the confidentiality of the training data. Recent literature has seen an arms race between privacy attacks and defenses on various systems. And until now, engineers and researchers have not had the privacy analysis tools they need to rival this trend. Hence, we developed PrivacyRaven- a machine learning assurance tool that aims to be:

  • Usable: Multiple levels of abstraction allow users to either automate much of the internal mechanics or directly control them, depending on their use case and familiarity with the domain.
  • Flexible: A modular design makes the attack configurations customizable and interoperable. It also allows new privacy metrics and attacks to be incorporated straightforwardly.
  • Efficient: PrivacyRaven reduces the boilerplate, affording quick prototyping and fast experimentation. Each attack can be launched in fewer than 15 lines of code.

How does it work?

PrivacyRaven partitions each attack into multiple customizable and optimizable phases. Different interfaces are also provided for each attack. The interface shown below is known as the core interface. PrivacyRaven also provides wrappers around specific attack configurations found in the literature and a run-all-attacks feature.

Here is how you would launch a model extraction attack in PrivacyRaven:

#examples/extract_mnist_gpu.py
import privacyraven as pr
from privacyraven.utils.data import get_emnist_data
from privacyraven.extraction.core import ModelExtractionAttack
from privacyraven.utils.query import get_target
from privacyraven.models.victim import train_four_layer_mnist_victim
from privacyraven.models.four_layer import FourLayerClassifier

# Create a query function for a target PyTorch Lightning model
model = train_four_layer_mnist_victim()


def query_mnist(input_data):
    # PrivacyRaven provides built-in query functions
    return get_target(model, input_data, (1, 28, 28, 1))


# Obtain seed (or public) data to be used in extraction
emnist_train, emnist_test = get_emnist_data()

# Run a model extraction attack
attack = ModelExtractionAttack(
    query_mnist, # query function
    200,  # query limit
    (1, 28, 28, 1), # victim input shape
    10, # number of targets
    (3, 1, 28, 28),  # substitute input shape
    "copycat", # synthesizer name
    FourLayerClassifier, # substitute model architecture
    784,  # substitute input size
    emnist_train, # seed train data
    emnist_test, # seed test data
)

Since the only main requirement from the victim model is a query function, PrivacyRaven can be used to attack a wide range of models regardless of the framework and distribution method. The other classes of attacks can be launched in a similar fashion. See the examples folder for more information.

Want to use PrivacyRaven?

  1. Install poetry.
  2. Git clone this repository.
  3. Run poetry update
  4. Run poetry install.

If you'd like to use a Jupyter Notebook environment, run poetry shell followed by jupyter notebook.

Additionally, if you'd like to run PrivacyRaven in a Docker container, run chmod +x build.sh followed by ./build.sh. Note that depending on the amount of resources you allocate to Docker, PrivacyRaven's performance may be drastically impacted.

Feel free to join our #privacyraven channel in Empire Hacking if you need help using or extending PrivacyRaven. The official pip release will arrive soon.

Please note that PrivacyRaven is still early in development and is undergoing rapid changes. Users are advised to update frequently and avoid applying PrivacyRaven to critical use cases.

Want to contribute to PrivacyRaven?

PrivacyRaven is still a work-in-progress. We invite you to contribute however you can whether you want to incorporate a new synthesis technique or make an attack function more readable. Please visit CONTRIBUTING.md to get started.

Why is it called PrivacyRaven?

The raven has been associated with a variety of concepts in different cultures through time. Among these, the raven is commonly associated with prophecy and insight. Naturally, we named the tool PrivacyRaven because it is designed to provide insights into the privacy of deep learning.

Who maintains PrivacyRaven?

The core maintainers are:

License

This library is available under the Apache License 2.0. For an exception to the terms, please contact us.

References

While PrivacyRaven was built upon a plethora of research on attacking machine learning privacy, the research most critical to the development of PrivacyRaven are:

Appearances

This is a list of publications, presentations, blog posts, and other public-facing media discussing PrivacyRaven.

More Repositories

1

algo

Set up a personal VPN in the cloud
Jinja
27,779
star
2

manticore

Symbolic execution tool
Python
3,536
star
3

graphtage

A semantic diff utility and library for tree-like files such as JSON, JSON5, XML, HTML, YAML, and CSV.
Python
2,300
star
4

ctf

CTF Field Guide
C
1,273
star
5

publications

Publications from Trail of Bits
Python
1,232
star
6

deepstate

A unit test-like interface for fuzzing and symbolic execution
Python
806
star
7

pe-parse

Principled, lightweight C/C++ PE parser
C++
691
star
8

eth-security-toolbox

A Docker container preconfigured with all of the Trail of Bits Ethereum security tools.
Dockerfile
648
star
9

maat

Open-source symbolic execution framework: https://maat.re
C++
606
star
10

twa

A tiny web auditor with strong opinions.
Shell
579
star
11

winchecksec

Checksec, but for Windows: static detection of security mitigations in executables
C++
523
star
12

cb-multios

DARPA Challenges Sets for Linux, Windows, and macOS
C
498
star
13

polytracker

An LLVM-based instrumentation tool for universal taint tracking, dataflow analysis, and tracing.
C++
487
star
14

onesixtyone

Fast SNMP Scanner
C
411
star
15

tubertc

Peer-to-Peer Video Chat for Corporate LANs
JavaScript
361
star
16

krf

A kernelspace syscall interceptor and randomized faulter
C
346
star
17

vast

VAST is an experimental compiler pipeline designed for program analysis of C and C++. It provides a tower of IRs as MLIR dialects to choose the best fit representations for a program analysis or further program abstraction.
C++
340
star
18

fickling

A Python pickling decompiler and static analyzer
Python
330
star
19

polyfile

A pure Python cleanroom implementation of libmagic, with instrumented parsing from Kaitai struct and an interactive hex viewer
Python
322
star
20

it-depends

A tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories.
Python
313
star
21

sinter

A user-mode application authorization system for MacOS written in Swift
Swift
302
star
22

SecureEnclaveCrypto

Demonstration library for using the Secure Enclave on iOS
Swift
276
star
23

protofuzz

Google Protocol Buffers message generator
Python
262
star
24

dylint

A tool for running Rust lints from dynamic libraries
Rust
259
star
25

osquery-extensions

osquery extensions by Trail of Bits
C
256
star
26

constexpr-everything

Rewrite C++ code to automatically apply `constexpr` where possible
C++
245
star
27

binjascripts

Scripts for Binary Ninja
Python
241
star
28

RpcInvestigator

Exploring RPC interfaces on Windows
C#
236
star
29

audit-kubernetes

k8s audit repo
Go
226
star
30

mishegos

A differential fuzzer for x86 decoders
C++
219
star
31

semgrep-rules

Semgrep queries developed by Trail of Bits.
Go
197
star
32

circomspect

A static analyzer and linter for the Circom zero-knowledge DSL
Rust
186
star
33

llvm-sanitizer-tutorial

An LLVM sanitizer tutorial
C++
177
star
34

siderophile

Find the ideal fuzz targets in a Rust codebase
Rust
171
star
35

flying-sandbox-monster

Sandboxed, Rust-based, Windows Defender Client
Rust
170
star
36

not-going-anywhere

A set of vulnerable Golang programs
Go
163
star
37

AppJailLauncher

CTF Challenge Framework for Windows 8 and above
C++
141
star
38

zkdocs

Interactive documentation on zero-knowledge proof systems and related primitives.
HTML
133
star
39

sienna-locomotive

A user-friendly fuzzing and crash triage tool for Windows
C++
132
star
40

uthenticode

A cross-platform library for verifying Authenticode signatures
C++
131
star
41

ObjCGraphView

A graph view plugin for Binary Ninja to visualize Objective-C
Python
127
star
42

Honeybee

An experimental high performance, fuzzing oriented Intel Processor Trace capture and analysis suite
C
124
star
43

sqlite_wrapper

An easy-to-use, extensible and lightweight C++17 wrapper for SQLite
C++
117
star
44

ctf-challenges

CTF Challenges
Python
112
star
45

ebpfpub

ebpfpub is a generic function tracing library for Linux that supports tracepoints, kprobes and uprobes.
C++
110
star
46

pasta

Peter's Amazing Syntax Tree Analyzer
C++
109
star
47

appjaillauncher-rs

AppJailLauncher in Rust
Rust
103
star
48

vscode-weaudit

Create code bookmarks and code highlights with a click.
TypeScript
103
star
49

test-fuzz

To make fuzzing Rust easy
Rust
100
star
50

on-edge

A library for detecting certain improper uses of the "Defer, Panic, and Recover" pattern in Go programs
Go
97
star
51

ios-integrity-validator

Integrity validator for iOS devices
Shell
97
star
52

abi3audit

Scans Python packages for abi3 violations and inconsistencies
Python
94
star
53

ebpfault

A BPF-based syscall fault injector
C++
93
star
54

binrec-tob

BinRec: Dynamic Binary Lifting and Recompilation
C++
92
star
55

clang-cfi-showcase

Sample programs that illustrate how to use control flow integrity with the clang compiler
C++
92
star
56

BTIGhidra

Binary Type Inference Ghidra Plugin
Java
88
star
57

blight

A framework for instrumenting build tools
Python
83
star
58

ManticoreUI

The Manticore User Interface with plugins for Binary Ninja and Ghidra
Python
71
star
59

bisc

Borrowed Instructions Synthetic Computation
Ruby
70
star
60

manticore-examples

Example Manticore scripts
Python
69
star
61

algo-ng

Experimental version of Algo built on Terraform
HCL
68
star
62

differ

Detecting Inconsistencies in Feature or Function Evaluations of Requirements
Python
64
star
63

deceptiveidn

Use computer vision to determine if an IDN can be interpreted as something it's not
Python
63
star
64

necessist

A tool for finding bugs in tests
Rust
59
star
65

reverie

An efficient and generalized implementation of the IKOS-style KKW proof system (https://eprint.iacr.org/2018/475) for arbitrary rings.
Rust
57
star
66

magnifier

C++
56
star
67

ruzzy

A coverage-guided fuzzer for pure Ruby code and Ruby C extensions
Ruby
53
star
68

awesome-ml-security

52
star
69

sixtyfour

How fast can we brute force a 64-bit comparison?
C
52
star
70

LeftoverLocalsRelease

The public release of LeftoverLocals code
C++
51
star
71

Codex-Decompiler

Python
50
star
72

DomTreSat

Dominator Tree LLVM Pass to Test Satisfiability
C++
47
star
73

nyc-infosec

Mapping the NYC Infosec Community
CSS
43
star
74

cfg-showcase

Sample programs that illustrate how to use Control Flow Guard, VS2015's control flow integrity implementation
C++
40
star
75

tsc_freq_khz

Linux kernel driver to export the TSC frequency via sysfs
C
40
star
76

HVCI-loldrivers-check

PowerShell
40
star
77

rubysec

RubySec Field Guide
Ruby
40
star
78

indurative

Easily create authenticated data structures
Haskell
37
star
79

http-security

Parse HTTP Security Headers
Ruby
36
star
80

trailofphish

Phishing e-mail repository
Ruby
36
star
81

KRFAnalysis

Collection of LLVM passes and triage tools for use with the KRF fuzzer
LLVM
34
star
82

spf-query

Ruby SPF Parser
Ruby
30
star
83

ebpf-verifier

Harness for the Linux kernel eBPF verifier
C
30
star
84

umberto

poststructural fuzzing
Haskell
30
star
85

ebpf-common

Various utilities useful for developers writing BPF tools
C++
28
star
86

clang-tidy-audit

Rewrite C/C++/Obj-C to Annotate Points of Interest
C++
27
star
87

macroni

C and C++ compiler frontend using PASTA to parse code, and VAST to represent the code as MLIR.
C
27
star
88

eatmynetwork

A small script for running programs with (minimal) network sandboxing
Shell
26
star
89

anselm

Detect patterns of bad behavior in function calls
C++
25
star
90

dmarc

Ruby DMARC Parser
Ruby
25
star
91

testing-handbook

Trail of Bits Testing Handbook
C++
25
star
92

btfparse

A C++ library that parses debug information encoded in BTF format
C++
22
star
93

linuxevents

A sample PoC for container-aware exec events for osquery
C++
22
star
94

mpc-learning

Perform multi-party computation on machine learning applications
Python
21
star
95

go-mutexasserts

A small library that allows to check if Go mutexes are locked
Go
21
star
96

screen

Measure branching along code paths
C
20
star
97

tacklebox

Phishing Toolkit
Ruby
20
star
98

itergator

CodeQL library and queries for iterator invalidation
CodeQL
19
star
99

WinDbg-JS

JavaScript
19
star
100

dkim-query

Ruby DKIM Parser
Ruby
18
star